Posted by Mark Dowd on April 11, 2008 at 5:51 PM EDT.
Adobe released a security bulletin and a patch for Flash Player on Tuesday that addressed several security vulnerabilities, one of which was reported by myself as described in our advisory. Part of our vulnerability discovery process involves determining exploitability of bugs that we uncover, and this flash bug was no exception. Interestingly, this particular bug turned out to require some rather unique exploitation techniques. Now, as someone who writes such programs for a job, I can tell you that every exploit you write is unique in some way or another, but usually minor adaptations to generic methods suffice. In this instance though, several technical details of the bug basically ruled out using any of the more standard techniques. After an in-depth analysis, it turned out that the bug was indeed reliably exploitable. I have put together a paper that describes the exploitation method I utilized, which is an attack that takes advantage of functionality provided by the ActionScript Virtual Machine (AVM) - an integral part of Flash Player application. This paper is intended to give insight into how sufficiently complex applications can be leveraged in a unique way, so that the functionality of the application can be used to the attacker's advantage.
We feel that it is important to explain the exploitability of this new class of issues to ensure that our customers treat them with the right level of importance. It might be easy to look at this vulnerability and think that it doesn't really matter, and perhaps declare that it is not exploitable. When, in fact, it is just a doorway into a whole new class of threats that we expect to continue to mature over the coming months and years.